CVE Reports

Posted on • Originally published at cvereports.com

GHSA-664h-gpgq-h6xx: Privilege Escalation via Broken Authorization in n8n Evaluation Test Runs Controller

Vulnerability ID: GHSA-664H-GPGQ-H6XX
CVSS Score: 5.4
Published: 2026-06-17

An incorrect authorization vulnerability exists in the open-source workflow automation platform n8n within the Evaluation Test Runs Controller. In deployments that use Advanced Permissions, an authenticated user holding only the low-privilege project:viewer role can bypass the configured permission policy. The controller's API scope checks map read-only scopes onto mutating endpoints, so a viewer can execute, terminate, or delete workflow evaluation test runs that the role should never be allowed to touch.

TL;DR

A scope misconfiguration in n8n's Evaluation Test Runs Controller allows authenticated, read-only 'viewer' accounts to trigger, cancel, and delete workflow test runs without proper authorization.
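The following is an added illustration, not code from n8n or from the advisory, of the class of defect described above: a route-to-scope table in which every endpoint of a test-runs controller is guarded by the same read scope, beside a corrected table in which each mutating endpoint demands a scope that the viewer role does not hold. The route paths, scope names and role-to-scope model are hypothetical placeholders chosen for the example; the authorization guard returns the HTTP status a practitioner would expect to see when re-testing with a viewer credential after patching (403 on start, cancel and delete).

```typescript
// Added example (not n8n's code). Scopes, roles and routes are hypothetical.
type Scope = 'evaluation:read' | 'evaluation:execute' | 'evaluation:delete';
type Method = 'GET' | 'POST' | 'DELETE';
type Role = 'project:viewer' | 'project:editor' | 'project:admin';

interface Route { method: Method; path: string; scope: Scope }

// Weak table: every endpoint, including the mutating ones, is guarded by the
// read scope, which is exactly the kind of mapping the advisory describes.
const ROUTES_WEAK: Route[] = [
  { method: 'GET',    path: '/test-runs',            scope: 'evaluation:read' },
  { method: 'POST',   path: '/test-runs',            scope: 'evaluation:read' },    // defect: start guarded by read
  { method: 'POST',   path: '/test-runs/:id/cancel', scope: 'evaluation:read' },    // defect: cancel guarded by read
  { method: 'DELETE', path: '/test-runs/:id',        scope: 'evaluation:read' },    // defect: delete guarded by read
];

// Corrected table: each mutating endpoint demands a scope a viewer never holds.
const ROUTES_FIXED: Route[] = [
  { method: 'GET',    path: '/test-runs',            scope: 'evaluation:read' },
  { method: 'POST',   path: '/test-runs',            scope: 'evaluation:execute' },
  { method: 'POST',   path: '/test-runs/:id/cancel', scope: 'evaluation:execute' },
  { method: 'DELETE', path: '/test-runs/:id',        scope: 'evaluation:delete' },
];

// Hypothetical role model: the viewer role is read-only by construction.
const ROLE_SCOPES: Record<Role, ReadonlySet<Scope>> = {
  'project:viewer': new Set<Scope>(['evaluation:read']),
  'project:editor': new Set<Scope>(['evaluation:read', 'evaluation:execute']),
  'project:admin':  new Set<Scope>(['evaluation:read', 'evaluation:execute', 'evaluation:delete']),
};

// Minimal path matcher: a ':name' segment in the pattern matches any one segment.
function matches(pattern: string, path: string): boolean {
  const p = pattern.split('/');
  const q = path.split('/');
  return p.length === q.length && p.every((seg, i) => seg.startsWith(':') || seg === q[i]);
}

// Returns the status an authorization guard would produce for a request:
// 200 when the role holds the route's scope, 403 when it does not, 404 when unrouted.
function authorize(routes: Route[], role: Role, method: Method, path: string): number {
  const route = routes.find(r => r.method === method && matches(r.path, path));
  if (!route) return 404;
  return ROLE_SCOPES[role].has(route.scope) ? 200 : 403;
}

// Static lint over the table: any non-GET route whose scope is granted to the
// read-only role is a privilege-escalation path. Returns the offending routes.
function findReadScopedMutations(routes: Route[]): Route[] {
  const viewerScopes = ROLE_SCOPES['project:viewer'];
  return routes.filter(r => r.method !== 'GET' && viewerScopes.has(r.scope));
}

// Behavioural check: every mutating route must answer 403 to a viewer.
function viewerBlockedFromMutations(routes: Route[]): boolean {
  return routes
    .filter(r => r.method !== 'GET')
    .every(r => authorize(routes, 'project:viewer', r.method, r.path.replace(':id', '42')) === 403);
}
```

The static lint is the more useful of the two checks to keep around: a table-driven controller can run `findReadScopedMutations` over its own route registrations at startup or in CI, so a future endpoint registered with a read scope fails fast instead of shipping.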

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863 (Incorrect Authorization)
  • Attack Vector: Network
  • CVSS v3.1: 5.4
  • Exploit Status: Proof of Concept / Technical details understood
  • Required Privilege Level: Low (project:viewer)
  • Impact: Integrity Loss, Denial of Service (Testing Pipelines)

Affected Systems

  • n8n Enterprise Edition with Advanced Permissions enabled
  • n8n Cloud Edition with Advanced Permissions enabled
  • n8n: < 1.123.55 (Fixed in: 1.123.55)
  • n8n: >= 2.0.0 < 2.25.7 (Fixed in: 2.25.7)
  • n8n: >= 2.26.0 < 2.26.2 (Fixed in: 2.26.2)

Mitigation Strategies

  • Immediately update n8n to the fixed release for your line (1.123.55, 2.25.7, or 2.26.2) or any later version
  • Audit active Advanced Permissions role assignments to ensure every user holds only the minimum role required
  • Audit application server access logs for anomalous POST/DELETE actions targeting evaluation endpoints
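As an added example of the log audit suggested above (not tooling from n8n or from the advisory), the block below parses a small set of constructed access-log lines, keeps only accepted mutating requests (POST, PUT, PATCH, DELETE with a 2xx status) against evaluation test-run paths, and reports those made by accounts known to hold only the viewer role. The log line format, the `/evaluation/test-runs` path fragment and the user-to-role table are assumptions; adapt the regex and the path pattern to the format your reverse proxy or application actually emits.

```typescript
// Added detection example (not n8n's code). Log format, paths and users are constructed.
interface AccessEvent { ts: string; user: string; method: string; path: string; status: number }

// Assumed line shape: "<timestamp> user=<name> <METHOD> <path> <status>".
const LINE_RE = /^(\S+) user=(\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$/;

function parseLine(line: string): AccessEvent | null {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], user: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Hypothetical route fragment for the evaluation test-runs controller.
const EVAL_PATH_RE = /\/evaluation\/test-runs(\/|$)/;
const MUTATING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Flags accepted (2xx) mutating calls to evaluation endpoints made by viewer-only
// accounts. A 403 on the same call is the patched behaviour and is not flagged.
function findSuspiciousMutations(lines: string[], viewers: ReadonlySet<string>): AccessEvent[] {
  const hits: AccessEvent[] = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;                                  // skip unparseable lines
    if (!MUTATING.has(ev.method)) continue;             // reads are fine for a viewer
    if (!EVAL_PATH_RE.test(ev.path)) continue;          // only the affected controller
    if (!viewers.has(ev.user)) continue;                // editors/admins are entitled
    if (ev.status >= 200 && ev.status < 300) hits.push(ev);
  }
  return hits;
}

// Per-user tally, handy for a quick triage summary.
function countByUser(events: AccessEvent[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const ev of events) counts.set(ev.user, (counts.get(ev.user) ?? 0) + 1);
  return counts;
}

// Constructed sample log: alice is a viewer, bob is an editor.
const SAMPLE_LOG: string[] = [
  '2026-06-18T10:00:01Z user=alice GET /rest/evaluation/test-runs 200',
  '2026-06-18T10:00:05Z user=alice POST /rest/evaluation/test-runs 200',
  '2026-06-18T10:00:09Z user=alice DELETE /rest/evaluation/test-runs/42 204',
  '2026-06-18T10:00:12Z user=bob POST /rest/evaluation/test-runs 200',
  '2026-06-18T10:01:00Z user=alice POST /rest/evaluation/test-runs/43/cancel 403',
  'garbage line that does not parse',
];
const VIEWERS: ReadonlySet<string> = new Set(['alice']);
```

Run this over the window before the upgrade as well as after it: pre-patch hits show whether the defect was actually exercised, and post-patch hits would mean the fix is not in effect on that instance.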

Remediation Steps

  1. Identify the current deployment version and licensing model of the n8n instance.
  2. Schedule a maintenance window to perform database backups and stop n8n application processes.
  3. Pull and deploy the patched image or update the npm dependency version to a verified release (1.123.55, 2.25.7, or 2.26.2).
  4. Restart the application services and monitor system logs for normal initialization.
  5. Conduct validation testing with a low-privilege viewer credential to confirm that requests to start, cancel, or delete evaluation runs return a 403 Forbidden status code.

Read the full report for GHSA-664H-GPGQ-H6XX on our website for more details including interactive diagrams and full exploit analysis.